Date: Thu, 6 Feb 2014 18:56:12 +0000 (UTC)
From: "Daryn Sharp (JIRA)"
To: common-issues@hadoop.apache.org
Subject: [jira] [Commented] (HADOOP-10301) AuthenticationFilter should return Forbidden for failed authentication

[ https://issues.apache.org/jira/browse/HADOOP-10301?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13893657#comment-13893657 ]

Daryn Sharp commented on HADOOP-10301:
--------------------------------------

Sigh. Nothing is ever as easy as it seems. I first was going to specifically check if response.status=401 and !response.containsHeader(WWW-Authenticate). HttpResponse appears to let you set the status, but not query it... So I fell back to checking errCode=401 and !response.containsHeader(WWW-Authenticate).
Now all the mocked unit tests fail because they don't persist any state from the response.setHeader, so containsHeader always returns false. :|

So, I can:
# Try to change the unit tests and hope other projects' tests don't break.
# Call it a day and unblock 2.3 because I can't find an existing code path that will cause an illegal 401.

If you agree with #2, we really should file another jira to clean up the filter + handler interactions. Among other things, the auth cookie should exclusively be a feature of the auth filter. Auth handlers shouldn't know anything about cookies. That should make the logic much simpler and easier to enforce proper auth handler behavior, but it's too much for me to do right now.

> AuthenticationFilter should return Forbidden for failed authentication
> ----------------------------------------------------------------------
>
>                 Key: HADOOP-10301
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10301
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Blocker
>         Attachments: HADOOP-10301.branch-23.patch, HADOOP-10301.branch-23.patch, HADOOP-10301.patch, HADOOP-10301.patch
>
>
> The hadoop-auth AuthenticationFilter returns a 401 Unauthorized without a WWW-Authenticate header. This is illegal per the HTTP RPC and causes an NPE in the HttpUrlConnection.
> This is half of a fix that affects webhdfs. See HDFS-4564.

--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
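
Added example, not part of the original message and not Hadoop's code: one way to apply the check described in the comment (errCode=401 and no WWW-Authenticate means answer 403) in a response wrapper that records the header itself, so the check does not depend on the wrapped response, or a mock, persisting setHeader state. The class name `ChallengeCheckingResponse` and the helper `legalStatus` are hypothetical, and the `javax.servlet` API is assumed to be on the classpath.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

// Added example (hypothetical class, not Hadoop code). Records WWW-Authenticate
// itself, so the check works where the status cannot be read back and over
// mocked responses that drop setHeader calls.
public class ChallengeCheckingResponse extends HttpServletResponseWrapper {
    private static final String CHALLENGE = "WWW-Authenticate";
    private boolean challengeSet; // true once a challenge header has been written

    public ChallengeCheckingResponse(HttpServletResponse response) {
        super(response);
    }

    @Override
    public void setHeader(String name, String value) {
        challengeSet |= CHALLENGE.equalsIgnoreCase(name);
        super.setHeader(name, value);
    }

    @Override
    public void addHeader(String name, String value) {
        challengeSet |= CHALLENGE.equalsIgnoreCase(name);
        super.addHeader(name, value);
    }

    @Override
    public boolean containsHeader(String name) {
        return (challengeSet && CHALLENGE.equalsIgnoreCase(name))
            || super.containsHeader(name);
    }

    // A 401 without a challenge is not a legal response; downgrade it to 403.
    int legalStatus(int errCode) {
        boolean illegal401 = errCode == HttpServletResponse.SC_UNAUTHORIZED
            && !containsHeader(CHALLENGE);
        return illegal401 ? HttpServletResponse.SC_FORBIDDEN : errCode;
    }

    @Override
    public void sendError(int errCode, String msg) throws IOException {
        super.sendError(legalStatus(errCode), msg);
    }

    @Override
    public void sendError(int errCode) throws IOException {
        super.sendError(legalStatus(errCode));
    }

    @Override
    public void setStatus(int status) {
        super.setStatus(legalStatus(status));
    }
}
```

The wrapper only sees a challenge that is written before the status or error call, so a handler that sets WWW-Authenticate afterwards would also be downgraded to 403.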